Feat/erc repository

[gonzalomarcote]

[TA-XXXX]: Feat/erc repository

Changes 🛠️

app/package

• Migrating to ECR and docker distroless images

Summary by CodeRabbit

• Chores
  • Switched CI builds to AWS ECR with consistent tag propagation, cache-backed Buildx builds, and parallelized job wiring; unified workflow inputs to a single tag parameter.
  • Normalized and reformatted CI/YAML structure and job wiring.
  • Replaced Node base images with distroless variants and added a pnpm build-time argument for flexibility.
  • Made deploy tooling configurable (dynamic Helm/kubectl versions and role updates).
  • Helm charts now use private registry images, add resource requests/limits, secret mounts, and two ingress hosts.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
fast-auth-spa	Ready	Preview, Comment	Jan 30, 2026 4:06pm

[coderabbitai]

📝 Walkthrough

Walkthrough

Migrate CI/CD to AWS ECR: rename workflow inputs base_image→tag, add AWS credentials/ECR login and Buildx cache, upgrade docker/build-push-action to v5, propagate short TAG across builds, switch runtime images to distroless, and update Helm charts and ingress to use ECR and additional relayer hosts.

Changes

Cohort / File(s)	Summary
GitHub Actions — ECR build workflows .github/workflows/build-base.yaml, .github/workflows/build-attester.yaml, .github/workflows/build-relayer.yaml, .github/workflows/build-custom-issuer.yaml	Replace DockerHub/GHCR flows with AWS ECR: add AWS credentials & ECR login, compute/propagate shortened TAG, restore/save Buildx cache, upgrade to docker/build-push-action@v5, change workflow input base_image→tag, push multi-tag images to ECR.
GitHub Actions — Orchestration & CI YAML .github/workflows/build-and-deploy.yaml, .github/workflows/pull-request.yml	Reformat/normalize workflows and expand per-job definitions; wire build jobs to propagate tags and dependences; concurrency and triggers preserved.
GitHub Actions — Deploy / Release .github/workflows/manual-deploy.yml, .github/workflows/release.yaml	Update assumed AWS role name and session, add kubectl setup and dynamic Helm version, and change nested workflow inputs from base_image→tag.
Dockerfiles (runtime/runtime args) docker/attester.Dockerfile, docker/custom-issuer.Dockerfile, docker/relayer.Dockerfile, docker/base.Dockerfile	Switch final runtime base to gcr.io/distroless/nodejs20, update final CMD paths for distroless layout, remove Dockerfile syntax directives, and add PNPM_VERSION build-arg used for pnpm install.
Helm charts / Kubernetes templates & values infra/chart/templates/attester.yaml, infra/chart/templates/custom-issuer.yaml, infra/chart/templates/relayer.yaml, infra/chart/templates/ingress.yaml, infra/chart/values/production.yaml, infra/chart/values/staging.yaml	Point images to private ECR URIs (291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/*), add attester resource requests/secret mounts/imagePullSecrets, introduce two relayer hosts and path-based ingress rules, and add host entries in production/staging values.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant AWS as AWS (STS/ECR)
    participant Buildx as Buildx/Cache
    participant K8s as Kubernetes/Helm

    GH->>AWS: Assume role / Configure credentials
    GH->>AWS: ECR login
    GH->>Buildx: Restore local build cache
    GH->>Buildx: Build images (docker/build-push-action@v5) with TAG
    Buildx->>AWS: Push images (TAG + latest) to ECR
    GH->>Buildx: Save local build cache
    GH->>K8s: Trigger deploy (Helm uses ECR tags)
    K8s->>AWS: Pull images for pods

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Added ALB ingress unified for privatenet #76: Related ingress changes—host-based rules and path-based backends overlap with this PR.
• Upated role & Adding private registry #56: Related deploy workflow updates (AWS role, kubectl/Helm steps) and registry migration to ECR.
• [137] Custom Backend JWT Issuer #65: Related custom-issuer CI/Dockerfile/Helm changes that overlap with build and deployment wiring.

Suggested labels

feature

Suggested reviewers

• AdriaCarrera
• GuillemGarciaDev

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Feat/erc repository' is vague and uses non-descriptive terminology; it does not clearly convey the primary change of migrating to Amazon ECR and distroless images.	Use a more descriptive title that highlights the main change, such as 'Migrate to Amazon ECR and distroless Docker images' or 'Switch container registry to ECR and update base images'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description follows the required template structure with title, changes section, and package scope, but lacks detail about the scope and impact of the migration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/erc-repository

---

🧹 Recent nitpick comments

.github/workflows/build-relayer.yaml (1)

85-89: Consider handling missing cache directory gracefully.

If the build step fails before creating /tmp/.buildx-cache-new, the mv command will fail. While this won't break the workflow (the step runs with if: always() and failure here is non-critical), you could make it more robust.

Optional: Add existence check

     - name: Save cache
       if: always()
       run: |
         rm -rf /tmp/.buildx-cache
-        mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+        [ -d /tmp/.buildx-cache-new ] && mv /tmp/.buildx-cache-new /tmp/.buildx-cache || true

.github/workflows/build-base.yaml (1)

80-84: Same cache save pattern as other workflows.

Consider adding an existence check for consistency, as noted in the relayer workflow review.

.github/workflows/build-attester.yaml (1)

85-89: Same cache save pattern.

Consider the optional existence check as noted in other workflow reviews.

.github/workflows/build-custom-issuer.yaml (2)

15-18: Minor formatting inconsistency: missing blank line before permissions.

Other workflow files have a blank line between the inputs block and permissions block. Consider adding one for consistency.

Optional: Add blank line for consistency

       tag:
         required: true
         type: string
+
 permissions:
     # Needed to configure aws credentials step

---

84-88: Same cache save pattern.

Consider the optional existence check as noted in other workflow reviews.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 415615b and a8025a0.

📒 Files selected for processing (5)

• .github/workflows/build-attester.yaml
• .github/workflows/build-base.yaml
• .github/workflows/build-custom-issuer.yaml
• .github/workflows/build-relayer.yaml
• .github/workflows/manual-deploy.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/manual-deploy.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: integration-contracts / integration
• GitHub Check: integration-packages / Build
• GitHub Check: build-base / Build

🔇 Additional comments (15)

.github/workflows/build-relayer.yaml (5)

12-19: LGTM: Input rename and permissions setup.

The input rename from base_image to tag aligns with the new ECR-based flow, and the OIDC permissions (id-token: write) are correctly configured for AWS credential federation.

---

28-33: LGTM: SHA tag shortening.

The 16-character truncation using bash substring syntax is valid and consistent with the other workflows in this PR.

---

38-47: LGTM: AWS credentials and ECR login.

The OIDC-based authentication flow with the IAM role and ECR login is correctly configured.

---

53-59: Cache action upgraded to v4.

This addresses the previous review feedback about actions/cache@v3 being outdated.
[approve_code_changes, duplicate_comment]

---

62-82: LGTM: Build and push configuration.

The build step correctly uses docker/build-push-action@v5 with ECR tags, Buildx caching, and the base image reference. The provenance: false setting avoids compatibility issues with ECR attestation support.

.github/workflows/build-base.yaml (5)

13-16: LGTM: Permissions for OIDC.

Correctly configured for AWS credential federation.

---

25-30: LGTM: SHA tag shortening.

Consistent with the other workflows.

---

35-47: LGTM: AWS credentials and ECR login.

OIDC-based authentication is correctly configured.

---

50-56: Cache action upgraded to v4.

This addresses the previous review feedback about actions/cache@v3 being outdated.
[approve_code_changes, duplicate_comment]

---

59-77: LGTM: Build and push configuration.

The base image build correctly omits BASE_IMAGE since this is the foundational image. Tags, caching, and ECR configuration are properly set.

.github/workflows/build-attester.yaml (3)

16-19: LGTM: Permissions and workflow structure.

The workflow follows the same ECR-based pattern as the other build workflows, with correct OIDC permissions.

---

53-59: Cache action upgraded to v4.

This addresses the previous review feedback about actions/cache@v3 being outdated.
[approve_code_changes, duplicate_comment]

---

62-82: LGTM: Build configuration.

Build arguments, ECR tags, and caching are correctly configured, with BASE_IMAGE pointing to the ECR base image.

.github/workflows/build-custom-issuer.yaml (2)

52-58: Cache action upgraded to v4.

This addresses the previous review feedback about actions/cache@v3 being outdated.
[approve_code_changes, duplicate_comment]

---

61-81: LGTM: Build configuration.

Build arguments, ECR tags, and caching are correctly configured, consistent with other workflows.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docker/base.Dockerfile (1)

13-13: ⚠️ Potential issue | 🔴 Critical

Build failure: env= syntax for secret mounts is not supported.

The pipeline fails with: "unexpected key 'env' in 'env=TURBO_TOKEN'". While the env= option was added in BuildKit 0.12+, the CI environment appears to not support it despite the # syntax=docker/dockerfile:1.7 directive.

🐛 Proposed fix using traditional secret file approach

 # Install package and app dependencies
-RUN --mount=type=secret,id=turbo_token,env=TURBO_TOKEN pnpm install
+RUN --mount=type=secret,id=turbo_token \
+    TURBO_TOKEN=$(cat /run/secrets/turbo_token) \
+    pnpm install
 # Run dist packages
-RUN --mount=type=secret,id=turbo_token,env=TURBO_TOKEN pnpm run bundle
+RUN --mount=type=secret,id=turbo_token \
+    TURBO_TOKEN=$(cat /run/secrets/turbo_token) \
+    pnpm run bundle
 # Run linting
-RUN --mount=type=secret,id=turbo_token,env=TURBO_TOKEN pnpm run lint:packages
+RUN --mount=type=secret,id=turbo_token \
+    TURBO_TOKEN=$(cat /run/secrets/turbo_token) \
+    pnpm run lint:packages
 # Run checking types
-RUN --mount=type=secret,id=turbo_token,env=TURBO_TOKEN pnpm run check-types:packages
+RUN --mount=type=secret,id=turbo_token \
+    TURBO_TOKEN=$(cat /run/secrets/turbo_token) \
+    pnpm run check-types:packages
 # Run testing
-RUN --mount=type=secret,id=turbo_token,env=TURBO_TOKEN pnpm run test:packages
+RUN --mount=type=secret,id=turbo_token \
+    TURBO_TOKEN=$(cat /run/secrets/turbo_token) \
+    pnpm run test:packages

Alternatively, upgrade the CI runner's BuildKit version to 0.12+ and ensure the docker buildx plugin is updated.

docker/relayer.Dockerfile (1)

12-19: ⚠️ Potential issue | 🔴 Critical

Update Dockerfile syntax version to support env= parameter in secret mounts.

The --mount=type=secret,id=turbo_token,env=TURBO_TOKEN syntax requires Dockerfile frontend v1.10.0 or newer, but base.Dockerfile currently specifies # syntax=docker/dockerfile:1.7. This will cause the build to fail. Update base.Dockerfile to use # syntax=docker/dockerfile:1.10 (or newer) to enable this feature across all child Dockerfiles.

🤖 Fix all issues with AI agents

In @.github/workflows/build-attester.yaml:
- Around line 53-59: Update the GitHub Actions cache step that currently uses
actions/cache@v3 to actions/cache@v4: locate the "Restore cache" step (the step
with name "Restore cache" and uses: actions/cache@v3) and change the action
reference to actions/cache@v4 so the workflow uses the newer cache action for
compatibility and consistency with other build workflows.

In @.github/workflows/build-base.yaml:
- Around line 50-56: The workflow step named "Restore cache" is using the
outdated action reference actions/cache@v3; update the step to use
actions/cache@v4 by changing the uses value to actions/cache@v4 (leave the path,
key, and restore-keys fields as-is), then run a quick workflow lint or dry-run
to ensure the new action version is accepted by the runners.

In @.github/workflows/build-custom-issuer.yaml:
- Around line 52-58: The workflow step named "Restore cache" currently uses
actions/cache@v3; update that step to use actions/cache@v4 to match other build
workflows and ensure runner compatibility by changing the uses value from
actions/cache@v3 to actions/cache@v4 while keeping the existing path
(/tmp/.buildx-cache) and key/restore-keys values (${{ github.job }}-${{
runner.os }}-buildx-custom-issuer) unchanged.

In @.github/workflows/build-relayer.yaml:
- Around line 53-59: Replace the outdated actions/cache@v3 usage in the "Restore
cache" step with actions/cache@v4; locate the workflow step named "Restore
cache" (the step that currently has uses: actions/cache@v3 and keys like ${{
github.job }}-${{ runner.os }}-buildx-relayer) and update the uses reference to
actions/cache@v4 so the workflow uses the latest cache action version.

In @.github/workflows/manual-deploy.yml:
- Around line 109-116: The helm upgrade command is vulnerable to shell
globbing/word-splitting because inputs like ${{ github.event.inputs.environment
}}, ${{ github.event.inputs.relayer-tag }}, ${{ github.event.inputs.attester-tag
}}, ${{ github.event.inputs.custom-issuer-tag }}, and ${NOW} are unquoted;
update the helm invocation (the helm -n fast-auth upgrade ... --values
values/${{ github.event.inputs.environment }}.yaml --set-string timestamp=${NOW}
--set-string tagRelayer=${{ github.event.inputs.relayer-tag }} --set-string
tagAttester=${{ github.event.inputs.attester-tag }} --set-string
tagCustomIssuer=${{ github.event.inputs.custom-issuer-tag }}) to quote each
variable consistently (e.g. wrap each ${{ ... }} and ${NOW} in double quotes) so
inputs with spaces or wildcards are passed literally to Helm.

🧹 Nitpick comments (5)

infra/chart/templates/custom-issuer.yaml (1)

44-44: Consider templating the ECR registry URL.

The AWS account ID is hardcoded in the image path. For better maintainability across environments or accounts, consider extracting the registry base URL into a Helm value.

# In values.yaml:
# registry: 291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth

-        image: 291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/custom-issuer:{{ .Values.tagCustomIssuer }}
+        image: {{ .Values.registry }}/custom-issuer:{{ .Values.tagCustomIssuer }}

This change is optional and can be deferred if the account ID won't change.

.github/workflows/build-base.yaml (1)

80-84: Cache save step may fail if build step fails early.

If the build step fails before creating /tmp/.buildx-cache-new, the mv command will fail. Consider adding a check or using mv ... || true to prevent masking the actual build failure.

Proposed fix

     - name: Save cache
       if: always()
       run: |
         rm -rf /tmp/.buildx-cache
-        mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+        [ -d /tmp/.buildx-cache-new ] && mv /tmp/.buildx-cache-new /tmp/.buildx-cache || true

.github/workflows/build-and-deploy.yaml (1)

52-53: Consider making the deploy environment configurable.

The environment is hardcoded to 'staging'. If you plan to use this workflow for other branches or manual triggers in the future, consider making it dynamic based on the branch or as an input.

This is a minor suggestion and can be addressed later if needed.

.github/workflows/build-custom-issuer.yaml (1)

15-18: Minor: Inconsistent indentation in permissions block.

The permissions block uses 4-space indentation while other workflow files use 2-space indentation. Consider aligning for consistency.

Proposed fix

 permissions:
-    # Needed to configure aws credentials step
-    id-token: write 
-    contents: read
+  # Needed to configure aws credentials step
+  id-token: write
+  contents: read

.github/workflows/manual-deploy.yml (1)

75-79: Add a fail‑fast check for tool version variables.
These versions now come from repo/org vars; a missing or empty value will cause setup‑kubectl (and later Helm) to behave unexpectedly. Consider validating both before installation.

✅ Suggested guard step

+      - name: Validate tool versions
+        shell: bash
+        run: |
+          : "${{ vars.KUBECTL_VERSION:?KUBECTL_VERSION is required }}"
+          : "${{ vars.HELM_VERSION:?HELM_VERSION is required }}"
+
       # Kubectl install
       - uses: azure/setup-kubectl@v3
         with:
           version: ${{ vars.KUBECTL_VERSION }}

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ffaeb6a and 1151a32.

📒 Files selected for processing (15)

• .github/workflows/build-and-deploy.yaml
• .github/workflows/build-attester.yaml
• .github/workflows/build-base.yaml
• .github/workflows/build-custom-issuer.yaml
• .github/workflows/build-relayer.yaml
• .github/workflows/manual-deploy.yml
• .github/workflows/pull-request.yml
• .github/workflows/release.yaml
• docker/attester.Dockerfile
• docker/base.Dockerfile
• docker/custom-issuer.Dockerfile
• docker/relayer.Dockerfile
• infra/chart/templates/attester.yaml
• infra/chart/templates/custom-issuer.yaml
• infra/chart/templates/relayer.yaml

🧰 Additional context used

🪛 actionlint (1.7.10)

.github/workflows/build-base.yaml

[error] 51-51: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/build-attester.yaml

[error] 54-54: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/build-custom-issuer.yaml

[error] 53-53: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/build-relayer.yaml

[error] 54-54: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 GitHub Actions: Pull Request

docker/custom-issuer.Dockerfile

[warning] 1-1: BuildKit local cache import not found: could not lock /tmp/.buildx-cache/index.json.lock (no such file or directory).

docker/base.Dockerfile

[error] 13-13: Build failed: docker buildx failed to solve due to unexpected key 'env' in 'env=TURBO_TOKEN' within RUN --mount=type=secret,id=turbo_token,env=TURBO_TOKEN pnpm install.

---

[warning] 1-1: BuildKit local cache import not found: could not lock /tmp/.buildx-cache/index.json.lock (no such file or directory).

docker/relayer.Dockerfile

[warning] 1-1: BuildKit local cache import not found: could not lock /tmp/.buildx-cache/index.json.lock (no such file or directory).

docker/attester.Dockerfile

[warning] 1-1: BuildKit local cache import not found: could not lock /tmp/.buildx-cache/index.json.lock (no such file or directory).

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: integration-contracts / integration
• GitHub Check: integration-packages / Build

🔇 Additional comments (16)

docker/relayer.Dockerfile (1)

30-35: LGTM on distroless migration.

The switch to gcr.io/distroless/nodejs20 is a good security improvement. The exec-form CMD is correctly used since distroless images lack a shell.

Note: The CMD path differs from other services (dist/src/main/main.js vs dist/src/main.js for attester/custom-issuer). Verify this reflects the actual relayer build output structure.

docker/base.Dockerfile (1)

1-3: Good improvements: syntax directive upgrade and parameterized pnpm version.

The Dockerfile syntax 1.7 and parameterized PNPM_VERSION are good practices for maintainability.

docker/custom-issuer.Dockerfile (1)

30-35: LGTM on distroless migration.

The switch to gcr.io/distroless/nodejs20 with exec-form CMD is correctly implemented. The CMD path dist/src/main.js is consistent with the attester Dockerfile.

.github/workflows/pull-request.yml (1)

13-45: LGTM on workflow restructuring.

The workflow correctly:

• Uses ${{ github.sha }} for consistent tagging across PR builds
• Pushes only the base image (push: true) while app images are built but not pushed (push: false)
• Maintains proper job dependencies with needs: [build-base]

infra/chart/templates/relayer.yaml (2)

48-48: ECR image reference looks correct.

The migration to AWS ECR (291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/relayer) is implemented correctly.

---

73-74: Verify ECR authentication with regcred secret.

The imagePullSecrets still references regcred. Ensure this secret is configured with ECR credentials (typically via aws ecr get-login-password or an ECR credential helper) rather than the previous DockerHub credentials.

docker/attester.Dockerfile (1)

30-35: LGTM on distroless migration.

The switch to gcr.io/distroless/nodejs20 is correctly implemented with exec-form CMD. Consistent with custom-issuer Dockerfile.

.github/workflows/release.yaml (1)

36-56: LGTM on input parameter rename.

The change from base_image to tag is consistent with the updated child workflows and maintains the same functionality.

infra/chart/templates/attester.yaml (1)

33-33: LGTM!

The ECR migration is consistent with other templates. The same optional refactor to template the registry URL could apply here for maintainability.

.github/workflows/build-base.yaml (1)

35-44: LGTM on AWS OIDC authentication setup.

Using OIDC role assumption instead of long-lived credentials is a secure approach for GitHub Actions to AWS authentication.

.github/workflows/build-and-deploy.yaml (1)

14-53: LGTM!

The job dependency chain is correctly structured: child build jobs wait for build-base, and deploy waits for all build jobs to complete. The tag propagation using github.sha is consistent across all jobs.

.github/workflows/build-relayer.yaml (1)

62-82: LGTM on build configuration.

The BASE_IMAGE build argument correctly references the ECR base image with the same truncated tag, ensuring build consistency across the pipeline.

.github/workflows/build-attester.yaml (1)

27-82: LGTM on overall workflow structure.

The workflow follows the same pattern as other build workflows with proper AWS OIDC authentication, ECR login, and consistent tag handling.

.github/workflows/build-custom-issuer.yaml (1)

27-81: LGTM on overall workflow structure.

The workflow is consistent with other build workflows and correctly implements the ECR migration.

.github/workflows/manual-deploy.yml (2)

70-71: Confirm the new AWS role exists and is trusted for this repo.
If gitHubDeploymentsRoleFastAuth isn’t created (or lacks the required EKS/Helm permissions and OIDC trust), deployments will fail at auth time.

---

83-83: Verify Helm version compatibility and pinning strategy.
Now that Helm is dynamic, ensure vars.HELM_VERSION is set to a supported v3 release for your charts/plugins and is intentionally pinned to avoid drift.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/manual-deploy.yml | head -120 | tail -25

Repository: Peersyst/fast-auth

Length of output: 1370

---

🏁 Script executed:

cd .github/workflows && wc -l manual-deploy.yml

Repository: Peersyst/fast-auth

Length of output: 83

---

🏁 Script executed:

sed -n '100,120p' .github/workflows/manual-deploy.yml

Repository: Peersyst/fast-auth

Length of output: 1080

---

Quote input tags to prevent shell expansion surprises.
GitHub inputs passed to Helm can contain special characters (wildcards, spaces) that trigger bash glob expansion or field splitting if unquoted. Apply quotes consistently to all input variables.

🛠️ Suggested fix

          helm -n fast-auth upgrade "${{ github.event.inputs.environment }}" ./ \
          --install --atomic --wait --timeout 301s \
          --values values/"${{ github.event.inputs.environment }}".yaml \
-          --set-string tagRelayer=${{ github.event.inputs.relayer-tag }} \
-          --set-string tagAttester=${{ github.event.inputs.attester-tag }} \
-          --set-string tagCustomIssuer=${{ github.event.inputs.custom-issuer-tag }} \
+          --set-string tagRelayer="${{ github.event.inputs.relayer-tag }}" \
+          --set-string tagAttester="${{ github.event.inputs.attester-tag }}" \
+          --set-string tagCustomIssuer="${{ github.event.inputs.custom-issuer-tag }}" \

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	helm -n fast-auth upgrade ${{ github.event.inputs.environment }} ./ \
	--install --atomic --wait --timeout 301s \
	--values values/${{ github.event.inputs.environment }}.yaml \
	--set-string timestamp=${NOW} \
	--set-string tagRelayer=${{ github.event.inputs.relayer-tag }} \
	--set-string tagAttester=${{ github.event.inputs.attester-tag }} \
	--set-string tagCustomIssuer=${{ github.event.inputs.custom-issuer-tag }} \
	--debug
	helm -n fast-auth upgrade "${{ github.event.inputs.environment }}" ./ \
	--install --atomic --wait --timeout 301s \
	--values values/"${{ github.event.inputs.environment }}".yaml \
	--set-string timestamp=${NOW} \
	--set-string tagRelayer="${{ github.event.inputs.relayer-tag }}" \
	--set-string tagAttester="${{ github.event.inputs.attester-tag }}" \
	--set-string tagCustomIssuer="${{ github.event.inputs.custom-issuer-tag }}" \
	--debug

🤖 Prompt for AI Agents

In @.github/workflows/manual-deploy.yml around lines 109 - 116, The helm upgrade
command is vulnerable to shell globbing/word-splitting because inputs like ${{
github.event.inputs.environment }}, ${{ github.event.inputs.relayer-tag }}, ${{
github.event.inputs.attester-tag }}, ${{ github.event.inputs.custom-issuer-tag
}}, and ${NOW} are unquoted; update the helm invocation (the helm -n fast-auth
upgrade ... --values values/${{ github.event.inputs.environment }}.yaml
--set-string timestamp=${NOW} --set-string tagRelayer=${{
github.event.inputs.relayer-tag }} --set-string tagAttester=${{
github.event.inputs.attester-tag }} --set-string tagCustomIssuer=${{
github.event.inputs.custom-issuer-tag }}) to quote each variable consistently
(e.g. wrap each ${{ ... }} and ${NOW} in double quotes) so inputs with spaces or
wildcards are passed literally to Helm.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	supertest@​6.3.3
	buffer@​6.0.3
	source-map-support@​0.5.21
	tsconfig-paths@​4.2.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm safer-buffer is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: pnpm-lock.yaml → npm/safer-buffer@2.1.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report